
Xpsp2--lan Continuous Outbound Signal


5 replies to this topic

#1 commart
Posted 21 September 2007 - 11:09 AM

This is my first post here, and I'm a little shy working on this mystery for several reasons. I've found as I've aged, my patience for "computtering" has diminished some--I may only do so much in a day or night. Also, I feel like I'm missing some "traffic controls" that everyone should have or that should be invented.

The problem:

The systems tray computer icon shows a continuous outbound signal, and I am curious about what data may be going where.

Defenses:

1. Black Ice Defender shows no intrusion records on the line; however, Black Ice "baselines" the hard drive to accept whatever programs are on it at the time of installation.

2. Neither Spybot nor Antivir scans have come up with known malware or other unexplained files.

3. Windows Defender drives me a little nuts, but it too reports nothing definite.

Using the Task Manager, there are no applications open on top of its reporting to indicate what's driving that outbound signal, but, of course, there are many processes. Most I've checked have traced back to known software.

Windows Defender has reported changes accepted involving a variety of UDP ports, but I don't seem to have traffic coming in to indicate some kind of hack.

Okay, fellow detectives, that's about what I know for my machine.

To add a little bit, the machine is stand-alone with a wireless router ahead of it; I have been cutting the unit's LAN Internet connection for long periods to rid the system of the signal, which works for a while; the signal might represent some kind of internal loop, but I don't know how to look for that.

Advice, please.

#2 commart

Posted 23 September 2007 - 02:06 PM

I've caught and deleted about two dozen cookies and thought, okay, that was the problem: the persistent signal had stopped for about 12 hours--but now it's back. I'm going to check through the scheduler for something launched while connected; I am wondering if the signal I see (and all the packets outbound) may be part of an internal communications loop.

Any help would be appreciated.

#3 commart

Posted 25 September 2007 - 07:05 AM

For the record:

1. In addition to deleting cookies, I started disabling unclaimed (no publisher) services, which included the following:

--"Diagnose Connections"
--"Helper Class"
--"Research"
--"Windows Messenger"

By name, they look like Microsoft administration aids but the "restart" afterward has produced no noticeable effects, and the "continuous outbound signal" has been absent for now about 20 hours.

I have not removed any related .exe files, so I may be able to investigate the set.

Somewhere on this system there's a folder or tabbed page listing programs and differentiating between ones shipped with the box and add-ons. The "Windows Messenger" program, which is not the one that says "Not Signed In" in my systems tray, appeared also as a program added to the machine, and I took that as a hint.

This is tricky stuff.

A program like Black Ice "baselines" the unit to accept whatever is on it--or what the user approves--when it's installed, and as I'm not building the machine from scratch (clean install?), that's a problem.

Next: I want to look into passively retained encrypted or machine coded sensitive data, if any, that may persist on the local drive.

Edited by commart, 25 September 2007 - 07:06 AM.


#4 tos226

Posted 25 September 2007 - 07:35 AM

Have you updated AntiVir recently? If not, do so. AntiVir loved to talk to itself over the local host port 18350, I think, and to some indicators it looked like continuous outbound. The most recent upgrade of AntiVir free stopped all that local chatter. That was about a week to 10 days ago; unfortunately, I don't have it at work to tell you what the version is now.

You could run free TCPview, this will identify the local and remote addresses and ports used. You can then look at the PID (process id) in Task Manager to see what service is talking.
To get TCPview, google for TCPview; it's from SysInternals, now Microsoft. Good and clean, nothing fancy: just unzip and double click the .exe file, sit back and watch.

#5 quietman7

Posted 25 September 2007 - 12:23 PM

CurrPorts v1.20
http://www.nirsoft.net/utils/cports.html

TCPView for Windows v2.51
http://www.microsoft.com/technet/sysintern...es/tcpview.mspx

DiamondCS OpenPorts v1.0
http://www.diamondcs.com.au/openports/

Online Port scanners
http://www.t1shopper.com/tools/port-scanner/
http://en.wikipedia.org/wiki/Port_scanner

#6 commart

Posted 11 October 2007 - 05:37 PM

The signal is back!

However, Current Ports lists only two Apple services running--AppleMobileDeviceService and iTunesHelper.exe--and accessing a remote address that matches the local.

Here's a question: using the Current Ports utility, are there any out- or inbound communications that would escape detection?

I've been treating the continuous outbound signal as an anomaly confined to the machine--no other network interaction involved.
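The triage that tos226's TCPView suggestion and the "remote address matches the local" observation above both describe, written out as an added example (not code from the thread or from any of the tools named in it): it parses a `netstat -ano` style snapshot, maps each socket to its PID, and separates loopback or self-addressed chatter (the AntiVir-talking-to-itself case) from connections to a genuine outside peer. The netstat text, the PID table and the process names are constructed samples, not a real capture.

```python
"""Triage a `netstat -ano` snapshot: loopback chatter vs. real outbound peers.
Added example, not from the thread; sample text and PID table are constructed."""
import ipaddress

# Constructed sample of `netstat -ano` output (not a real capture).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:18350        0.0.0.0:0              LISTENING       1640
  TCP    127.0.0.1:18350        127.0.0.1:1087         ESTABLISHED     1640
  TCP    127.0.0.1:1087         127.0.0.1:18350        ESTABLISHED     1644
  TCP    192.168.1.5:1096       203.0.113.10:80        ESTABLISHED     2208
  UDP    192.168.1.5:1900       *:*                                    1120
"""

# Constructed PID -> image name table (what Task Manager's PID column would show).
PROCESSES = {912: "svchost.exe", 1640: "antivirus_svc.exe", 1644: "antivirus_tray.exe",
             2208: "browser.exe", 1120: "svchost.exe"}

def parse_netstat(text):
    """Return one dict per socket row; UDP rows carry no State column."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        rows.append({"proto": f[0], "local": f[1], "foreign": f[2],
                     "state": f[3] if len(f) == 5 else "", "pid": int(f[-1])})
    return rows

def classify(row, local_hosts):
    """listening: no peer yet; local-only: peer is loopback or one of this
    machine's own addresses (the 'remote matches local' case); external: outside peer."""
    peer = row["foreign"].rsplit(":", 1)[0]  # strip the port
    if row["state"] == "LISTENING" or row["foreign"] == "*:*":
        return "listening"
    if peer in ("0.0.0.0", *local_hosts) or ipaddress.ip_address(peer).is_loopback:
        return "local-only"
    return "external"

def report(text, processes, local_hosts=()):
    """Group sockets by category, naming the owning process from the PID table."""
    out = {"listening": [], "local-only": [], "external": []}
    for row in parse_netstat(text):
        name = processes.get(row["pid"], f"PID {row['pid']}")
        out[classify(row, set(local_hosts))].append((name, row["local"], row["foreign"]))
    return out
```

Pass the machine's own interface addresses as `local_hosts` so self-addressed sockets land in "local-only"; only the "external" bucket represents data actually leaving the box. A socket listing like this or TCPView is a snapshot of what the OS currently knows about, so connections opened and closed between refreshes are not shown.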
